author | Philip Häusler <msquare@notrademark.de> | 2015-12-30 15:48:41 +0100 |
---|---|---|
committer | Philip Häusler <msquare@notrademark.de> | 2015-12-30 15:48:41 +0100 |
commit | ef60b955555ea1d22da8494a34440c3fd2d8b190 (patch) | |
tree | fbe409ee1e4426fab4ea10a51fde324350a4f2fd /includes/controller | |
parent | 1983db901b9b7ea9b87a66ed38f030369dc3a0a4 (diff) |
add a more secure way to delete users containing a password request
Diffstat (limited to 'includes/controller')
-rw-r--r-- | includes/controller/users_controller.php | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php
index c560e79a..404b7f9b 100644
--- a/includes/controller/users_controller.php
+++ b/includes/controller/users_controller.php
@@ -27,10 +27,65 @@ function users_controller() {
 }
 }
+/**
+ * Delete a user, requires to enter own password for reasons.
+ */
+function user_delete_controller() {
+ global $privileges, $user;
+
+ if (isset($_REQUEST['user_id'])) {
+ $user_source = User($_REQUEST['user_id']);
+ } else
+ $user_source = $user;
+
+ if (! in_array('admin_user', $privileges))
+ redirect(page_link_to(''));
+
+ // You cannot delete yourself
+ if ($user['UID'] == $user_source['UID']) {
+ error(_("You cannot delete yourself."));
+ redirect(user_link($user));
+ }
+
+ if (isset($_REQUEST['submit'])) {
+ $ok = true;
+
+ if (! (isset($_REQUEST['password']) && verify_password($_REQUEST['password'], $user['Passwort'], $user['UID']))) {
+ $ok = false;
+ error(_("Your password is incorrect. Please try it again."));
+ }
+
+ if ($ok) {
+ $result = User_delete($user_source['UID']);
+ if ($result === false)
+ engelsystem_error('Unable to delete user.');
+
+ mail_user_delete($user_source);
+ success(_("User deleted."));
+ engelsystem_log(sprintf("Deleted %s", User_Nick_render($user_source)));
+
+ redirect(users_link());
+ }
+ }
+
+ return array(
+ sprintf(_("Delete %s"), $user_source['Nick']),
+ User_delete_view($user_source)
+ );
+}
+
 function users_link() {
 return page_link_to('users');
 }
+function user_edit_link($user) {
+ return page_link_to('admin_user') . '&user_id=' . $user['UID'];
+}
+
+function user_delete_link($user) {
+ return page_link_to('users') . '&action=delete&user_id=' . $user['UID'];
+}
+
 function user_link($user) {
 return page_link_to('users') . '&action=view&user_id=' . $user['UID'];
 }
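Review bot: The password re-check in `user_delete_controller` reads both the submit trigger and the password itself from `$_REQUEST`, so the confirmation is reachable through a plain GET and the admin's password then sits in the query string, where it is written to access logs, browser history and the Referer of the following page; since this check is the safeguard the commit introduces, it should read only the POST body, e.g. `if (isset($_POST['submit'])) {` and `if (! (isset($_POST['password']) && verify_password($_POST['password'], $user['Passwort'], $user['UID']))) {`. The `admin_user` privilege is tested only after `User($_REQUEST['user_id'])` has already been looked up, so the lookup runs for callers who are then redirected away; moving the `in_array` check (with `true` as its third argument) to the top of the function makes the authorization decision the first thing the controller does. Nothing guards the case where `User()` finds no row for the given id — what it returns then is not visible here, but `$user_source['UID']` is dereferenced unconditionally, so an explicit check with `engelsystem_error` or a redirect before the self-deletion test is worth adding. A failed password attempt is reported to the user but not written to `engelsystem_log`, which the successful path already uses; logging it would make repeated failed confirmations visible to operators.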